Phreak Phone Museum

 ____  _                     _       ____  _                      __  __
|  _ \| |__  _ __ ___  __ _ | | __  |  _ \| |__   ___  _ __   ___|  \/  |_   _ ___  ___ _   _ _ __ ___
| |_) | '_ \| '__/ _ \/ _` || |/ /  | |_) | '_ \ / _ \| '_ \ / _ \ |\/| | | | / __|/ _ \ | | | '_ ` _ \
|  __/| | | | | |  __/ (_| ||   <   |  __/| | | | (_) | | | |  __/ |  | | |_| \__ \  __/ |_| | | | | | |
|_|   |_| |_|_|  \___|\__,_||_|\_\  |_|   |_| |_|\___/|_| |_|\___|_|  |_|\__,_|___/\___|\__,_|_| |_| |_|

// hacker history, 2600 Hz lore, and the burner phones that still register in 2026

00 · Overview

A hacker-history project about the phones that shaped phreaking culture and the ones you can still actually use in 2026.

Why this exists

The Motorola Razr and its ancestors aren't just nostalgia — they're the physical layer of an entire subculture. From Joybubbles whistling 2600 Hz in the 60s, to Wozniak and Jobs hand-building blue boxes, to the 2022 3G sunset that bricked a generation of feature phones, "the phone" has always been the hacker's first target and first toy.

The one-line thesis

Sections

01 — The phreak era: 2600 Hz, blue boxes, Cap'n Crunch, the birth of 2600 Magazine
02 — The network graveyard: US sunset timeline, what "works today" means
03 — Buying guide: dumb phones, flips, BlackBerry QWERTYs, Razr heirs
04 — Razr V3 deep dive: launch, design, sales, why it's bricked

★ Essentials: Why Old Phones in 2026

If you landed here without context: this museum exists for two overlapping audiences. People who love old phones (the Razr click, the Nokia ringtone, the sidekick's clacking QWERTY) and people who are trying to slip the surveillance state (no apps, no ad SDKs, no always-on microphone, no 47 background services calling home every 30 seconds). Both reasons lead to the same aisle of eBay.

The two honest answers to "Can I use an old phone today?"

If you want a device that makes calls on US carriers in 2026 — you need a phone with a 4G LTE radio + VoLTE on the right bands + carrier certification. The floor is roughly 2013–2014 hardware (Galaxy S5, iPhone 6, Kyocera DuraXE). Everything older is a brick in the US, though often still works in Europe, Mexico, and much of the world on 2G GSM.
If you just want to hold a Razr V3 and feel 2004 again — eBay has 10,000 of them for $20. It'll power on. It won't make calls on any US network. It's a sculptural object now, and that's fine.

The privacy/surveillance angle (what a "dumb phone" actually gets you)

Dumb phones don't save you from location tracking. E911 (1999 federal law) requires every US cell phone to deliver location to PSAPs. Your carrier knows where you are every time you register with a tower — dumb phone or not. What a dumb phone does give you:

No app surveillance. No Facebook SDK, no AdMob, no TikTok background, no 47 always-on services.
Much smaller attack surface. No browser in many cases; no sideloading; no WebView.
Longer battery. Days or weeks vs hours.
Freedom from the notification dopamine loop. This is the actual product most dumb-phone buyers pay for.

What it doesn't get you: invisibility to your carrier, invisibility to law enforcement with a warrant, invisibility to IMSI catchers (Stingrays), or exemption from E911 location delivery.

What this museum covers (and where to start)

New here? Start at 01 — Phreak History for the 2600 Hz story, then 02 — Network Graveyard for what killed old phones.
Trying to buy a phone? Jump to 17 — Phone Finder for the full filterable list, or 12 — Purchase Guide for OPSEC considerations.
Privacy-focused? See 04 — GPS Myth (the primer) and 06 — Privacy & Surveillance (the deep dive: IMSI catchers, SS7, baseband exploits).
Restoring a vintage phone? 08 — Phone Anatomy & Restoration and 16 — Retro Projects.
Looking at alternatives to phones entirely? 09 — Related Comms Tech — pagers, satellite, mesh networks, HAM.

The one-line thesis, restated

Old phones stopped working because the network moved, not because the hardware failed. A 2004 Razr V3 in a drawer is still mechanically perfect — it's just trying to shake hands with a tower that no longer speaks 2G GSM. Understanding what your phone can and cannot do in 2026 is mostly about understanding what the network speaks.

01 · Phreak History: 2600 Hz and the Blue Box Era

The frequency that started it all

Before "hacker" meant anything in computing, it meant phone phreak. The entire subculture hinged on a single tone: 2600 Hz.

AT&T's long-distance network in the 1960s was in-band signaled — the same copper pair that carried your voice also carried the control tones the switches used to route calls. When a trunk line was idle, the switch emitted a continuous 2600 Hz tone. When you hung up, your local exchange sent 2600 Hz upstream to say "caller is gone, release the line."

The exploit: if you played 2600 Hz into the handset mid-call, the long-distance switch thought you'd hung up — but your local exchange, which used different signaling, still considered the call active. The trunk was now "yours," and you could send multi-frequency (MF) tones to dial anywhere on the planet, toll-free.

Joybubbles (Joe Engressia)

Joseph Engressia — later legally renamed Joybubbles — was born blind with perfect pitch. As a child in the late 1950s he discovered he could whistle 2600 Hz into a phone and get free long distance. He is patient zero of phreaking. No tools. Just a mouth.

Captain Crunch and the cereal-box whistle

In 1963 the Cap'n Crunch cereal box shipped a plastic bosun's whistle as a prize. By pure coincidence, when you covered one of its two holes, it emitted an almost-perfect 2600 Hz tone. John Draper — later "Captain Crunch" — weaponized it. The whistle became the iconic artifact of the phreak era.

The blue box

Whistling was fragile. The next step was the blue box — a handheld tone generator that produced 2600 Hz plus the full MF signaling set (700, 900, 1100, 1300, 1500, 1700 Hz pair combinations) to dial any number on the trunk network. Early versions were built from Farfisa organs, doorbells, and cassette recorders. Later ones were custom PCB designs.

The Wozniak/Jobs connection

Steve Wozniak read Ron Rosenbaum's 1971 Esquire article "Secrets of the Little Blue Box" and went all-in. He designed a digital blue box using TTL logic — more reliable than the analog versions. Steve Jobs handled sales. They sold roughly 200 units door-to-door in Berkeley dorms at $150 each.

"If it hadn't been for the blue boxes, there would have been no Apple. I'm 100% sure of that." — Steve Jobs

The same two people who built Apple I first built a tool to commit federal toll fraud.

2600: The Hacker Quarterly

Founded in 1984 by Eric Corley (aka Emmanuel Goldstein), named directly after the tone. Still published today. The magazine turned phreak folklore into hacker canon and became the cultural bridge between analog phreaking and computer hacking.

Why phreaking died

Two reasons, both structural:

Out-of-band signaling (SS7). By the late 1980s the phone network moved call-control signaling off the voice path onto a completely separate digital network (Signaling System 7). You cannot whistle into SS7. The 2600 Hz exploit was gone.
Digital cell networks. Starting in the 1990s, wireless moved to GSM and CDMA with cryptographic authentication. The game shifted to SIM cloning, IMSI catchers, and SS7 attacks — a different, much harder sport.

Phreaking didn't lose. It evolved into every modern telecom security discipline.

02 · The Network Graveyard

The core problem

A phone is useless without a network that will talk to it. US carriers have systematically retired older radio protocols to reclaim spectrum for 4G LTE and 5G. If your phone only speaks a dead protocol, it is a brick — even if the battery still holds charge.

Sunset timeline (US)

Protocol	Carrier	Shutdown date
2G GSM	AT&T	January 1, 2017
2G CDMA	Verizon	December 31, 2020
3G UMTS	AT&T	February 22, 2022
3G CDMA (Sprint)	T-Mobile	March 31, 2022
4G LTE (Sprint)	T-Mobile	June 30, 2022
3G UMTS (T-Mobile)	T-Mobile	July 1, 2022
3G CDMA	Verizon	December 31, 2022
2G GSM	T-Mobile	April 2, 2024

What "still works" means in 2026

To register on a US network today a phone needs:

4G LTE radio on carrier-appropriate bands (Band 2, 4, 5, 12, 13, 17, 66 are the important ones)
VoLTE (Voice over LTE) support — voice calls are now VoIP-over-LTE; LTE data alone isn't enough to make calls
Ideally carrier certification / IMEI whitelist entry. Verizon in particular refuses to activate phones not on its approved list, even if the radio is technically compatible

Phones that used to work and now don't [BRICKED]

Original Motorola Razr V3 (2G GSM)
Motorola StarTAC (TDMA/AMPS)
Nokia 3310 original, Nokia 5110, Nokia 6110 (2G GSM)
BlackBerry Bold 9000, Curve, Pearl (2G/3G)
iPhone 4 / 4S (3G only for voice)
Sidekick (T-Mo 2G/3G)
Nextel iDEN phones (iDEN shut down 2013)

Phones that still work [ALIVE]

Nokia 2780 Flip — 4G LTE + VoLTE, all 3 major US carriers
Light Phone II / III — LTE + VoLTE
Sonim XP3plus — carrier-certified rugged LTE
Unihertz Titan — Android LTE, universal bands, QWERTY
iPhone 6s and up — LTE + VoLTE
Samsung Galaxy S5 and up — LTE + VoLTE

The international escape hatch

If you absolutely must use a 2G/3G phone, much of Europe, Latin America, and parts of Southeast Asia still run 2G GSM (often for IoT/M2M). A Razr V3 will still make calls in, say, Germany or Mexico on a local SIM — just not at home. Some hobbyists also run private GSM base stations (Osmocom OpenBSC, YateBTS) in Faraday cages to light up vintage phones for display and museum use. That is legal only if the RF is fully contained.

03 · Motorola Razr V3: Deep Dive

The unveiling

Motorola CEO Edward Zander unveiled the Razr V3 at a press event in Chicago on July 27, 2004. It went on sale in Europe in September 2004 and in the United States in November 2004. Its internals were nothing special. Its exterior was the point.

Why it mattered

Industrial designer Chris Arnholt was responsible for the Razr's defining features:

Aluminum-clad body, 14 mm thin — unheard of at the time for a flip phone
Electroluminescent keypad milled from a single metal wafer (no separate keys — the entire surface was one chemically-etched nickel sheet lit from underneath)
External glass screen embedded flush into the lid
Internally-hinged antenna (goodbye, stubby rubber nub)
Custom blue backlight that became visual shorthand for "this is the future"

The name "Razr" was coined by executive Geoffrey Frost, who also pushed the premium-fashion marketing strategy.

The sales curve

Milestone	Units
End of 2004	~750,000 (already ahead of internal projections)
July 2006	50 million
Late 2007	~100 million
2008–2011 (official)	~110 million
Frequently cited lifetime total	~130 million

The V3 was the best-selling phone in the United States in 2005, 2006, and 2007, and remained best-selling until the latter half of 2008, when the iPhone 3G finally dethroned it.

The cultural artifact

Seen in the hands of David Beckham, Reese Witherspoon, Paris Hilton. Featured in The Devil Wears Prada, 24, countless 2005-era music videos. The sound of the hinge snapping shut became a cinematic shorthand for "this conversation is over." It's genuinely one of maybe five phones that ever achieved pure cultural icon status (iPhone, BlackBerry, Razr, Nokia 3310, Sidekick).

Why it's dead in 2026

The original V3 is a 2G GSM 850/900/1800/1900 MHz phone. No UMTS, no LTE, no VoLTE, no CDMA. Every US carrier has retired the protocols it speaks:

AT&T 2G GSM: shut down January 1, 2017
T-Mobile 2G GSM: shut down April 2, 2024

There is no software update path. The radio is the radio. A V3 in the US in 2026 will power on, display "No Service," and drain its battery doing nothing.

Where it still works

Parts of Germany, France, Italy (2G GSM preserved for M2M/IoT until at least 2028 in some markets)
Mexico (Telcel/Movistar still run 2G in many regions)
Much of Africa and Southeast Asia
Private GSM base stations inside RF-shielded enclosures (Osmocom / YateBTS hobby setups, legal only if contained)

Why it's still worth owning

Even dead, the V3 is a masterclass in industrial design. A drawer Razr is a physical bookmark to the moment before the smartphone flattened every phone into the same black rectangle. Keep one. Don't activate it. Open and close it occasionally. Remember what "phones used to feel like" meant.

04 · The GPS Myth: Why Your "Dumb Phone" Isn't As Dark As You Think

A very common reason people buy dumb phones is the belief that they're escaping tracking — "no GPS, no camera, no surveillance." That's mostly a myth. Here's why.

The law that changed everything: E911 Phase II

In October 1999, the Wireless Communications and Public Safety Act of 1999 ("the 9-1-1 Act") was signed into US law. It directed the FCC to require wireless carriers to deliver actual caller location to Public Safety Answering Points (PSAPs) when someone dialed 911 from a cell phone.

The FCC implemented this as Enhanced 911 (E911), rolled out in two phases:

Phase I (1998): Carrier must deliver the callback number and the cell tower/sector the call originated from. Rough — accurate to maybe a square mile in rural areas.
Phase II (2001 onward): Carrier must deliver the caller's latitude and longitude, accurate to 50–300 meters depending on technology, within 6 months of a PSAP request.

The FCC deadline: 95% of a carrier's in-service phones had to be "location capable" by December 31, 2005. Carriers who missed it were fined.

Two ways to be "location capable"

The FCC didn't mandate GPS specifically. It mandated the outcome (accurate lat/long). Carriers picked between two approaches:

Network-based location — triangulation from cell towers using time-of-arrival and signal-strength math. No change needed to the handset. Used heavily on older CDMA networks (early Verizon).
Handset-based location — put a GPS receiver inside the phone, let the phone self-locate, and send the fix over the cellular network. More accurate, especially indoors with A-GPS (Assisted GPS, which uses cell-tower data + downloaded satellite almanac to get a fix in seconds instead of minutes).

By the mid-2000s, handset-based won. It was cheaper, more accurate, and carriers didn't have to upgrade every tower. The result: essentially every cell phone sold in the US since roughly 2005 ships with a GPS chip, including feature phones, flip phones, and rugged burners.

So yes — your Nokia 2780 Flip has GPS

Pick any "dumb phone" from the buying guide above. Check the spec sheet. You will find GPS listed on almost all of them:

Nokia 2780 Flip: GPS yes, plus Google Maps preinstalled via KaiOS
HMD Barbie Phone: GPS yes (it's literally a re-skinned 2780)
Sonim XP3plus: GPS + GLONASS, used specifically for field-worker location tracking
Kyocera DuraXV/DuraXE: GPS + location services, Verizon push-to-talk uses it
Light Phone II / III: GPS yes — turn-by-turn navigation is one of the few features they include
Punkt MP02: GPS yes
Unihertz Titan: full Android, full GPS, full everything

The handful of exceptions are old-stock 2G imports, gray-market European candybars, and a few niche Amish-market devices that intentionally strip GPS hardware. They're also the ones that won't register on US networks anyway.

The honest framing: dumb phones don't save you from location tracking. They save you from app-based tracking — ad SDKs, social-media fingerprinting, 47 background services phoning home every 30 seconds, TikTok reading your clipboard. The carrier still knows where you are. The FCC requires it. Every modern phone, smart or dumb, hands your location to the network every time it registers with a tower. The GPS chip is just the optional second pathway.

What dumb phones actually give you

No app surveillance — no Facebook SDK, no AdMob, no TikTok, no always-on microphones feeding ML models
No notification dopamine loop — the real product
Much smaller attack surface — fewer exploitable components, no browser in many cases
Long battery life — days to weeks instead of hours
Physical durability — no cracked screens, no glass sandwiches
Cost — $50–$300 vs $1000+

What they don't give you: invisibility to your carrier, invisibility to law enforcement with a warrant, invisibility to IMSI catchers, or exemption from E911 location delivery. A burner phone in the traditional sense — bought for cash, tossed after one use — still works for identity obfuscation, but not location obfuscation while it's powered on.

And the camera question

Most modern feature phones do include a low-res camera (VGA to 5MP), because it costs pennies and enables MMS. If you want a camera-free phone specifically (for classified facilities, SCIFs, prison use, etc.), look at:

Sonim XP3 Plus "No Camera" SKU — deliberately manufactured without the camera module for secure-facility use
Kyocera DuraXE Epic Non-Camera version — same story, sold to government and industrial buyers
Punkt MP02 — no camera at all, by design

These are the genuine camera-free options. A regular Nokia 2780 will have a camera. A regular Razr V3 had one too (the 2004 model shipped with a 0.3 MP camera — even then).

05 · The Oldest Cell Phone That Still Works

"Works" is the whole question. There are three honest answers, and they give wildly different dates. This section lays out all three tiers with the specific phones that qualify.

Tier 1 — Still works on a US carrier in 2026

Floor: roughly 2013–2014 hardware. The hard requirement is VoLTE (Voice over LTE), because US carriers no longer route voice through 2G/3G circuit-switched fallback. A phone can have perfect LTE data and still be useless for calls if it can't do VoLTE. These are the oldest phones that still cross that bar:

Phone	Released	Notes
Samsung Galaxy S4	April 2013	Some variants only (mainly T-Mobile). Earliest mainstream phone with VoLTE support. Needs to be a US variant.
LG G2	Sept 2013	Variant-dependent. T-Mobile and Verizon units work, international GSM ones often don't.
Samsung Galaxy Note 3	Sept 2013	Late 2013 US variants with VoLTE firmware.
Samsung Galaxy S5	April 2014	Broad VoLTE support across all major US carriers. The first "safe bet" from this era.
HTC One M8	March 2014	VoLTE on AT&T and Verizon variants.
LG G3	May 2014	VoLTE across US carriers.
Motorola Moto X (2nd gen)	Sept 2014	VoLTE on all US carriers.
iPhone 6 / 6 Plus	Sept 2014	First iPhone with full US VoLTE. Floor for the entire iPhone line — 5s and earlier are US-dead.
Samsung Galaxy Note 4	Oct 2014	VoLTE all carriers.
Kyocera DuraXE (original)	2015	Rugged flip, VoLTE, still sold today. One of the oldest feature phones in this tier.

Everything older than this is bricked on US networks. The iPhone 5s (2013), Galaxy S3 (2012), every BlackBerry Bold and Classic, every pre-2013 Motorola — all of them power on, all of them are useless. The cutoff is sharp and unforgiving.

Verizon wrinkle: even within this tier, Verizon maintains an IMEI whitelist and rejects many perfectly-VoLTE-capable phones. AT&T and T-Mobile are more permissive. If you're picking an old phone to activate in 2026, assume T-Mobile or AT&T first.

Tier 2 — Still works somewhere in the world

Floor: 1992. 2G GSM was launched commercially in July 1991 on Radiolinja in Finland, and 2G GSM networks remain live in 2026 in parts of Germany, France, Italy, Switzerland, Mexico, Ecuador, much of sub-Saharan Africa, Southeast Asia, Australia (until 2027 in some states), and island nations. Any GSM phone from 1992 onward will register on those networks with a local SIM.

Phone	Year	Why it matters
Nokia 1011	Nov 1992	The trophy. First mass-produced GSM handset. ~34 years old and still capable of making a real call in Germany or Mexico today. This is the ceiling.
Motorola International 3200	1992	First commercial GSM handset to actually ship. Brick-shaped, same 2G GSM as the 1011.
Nokia 2110	1994	The phone that popularized the Nokia ringtone. Still registers on 2G GSM.
Motorola StarTAC	Jan 1996	First clamshell in history. US variants were dual-mode AMPS/TDMA (dead). GSM international variants still work in 2G countries.
Nokia 8110 ("banana phone")	1996	Slider, starred in The Matrix. Still works on 2G GSM.
Nokia 6110	1997	First phone with Snake. 2G GSM, still alive where 2G lives.
Nokia 5110	1998	Swappable colored shells, indestructible. Monochrome icon.
Nokia 3210	1999	160 million units sold. Still registers in 2G markets.
Nokia 3310 (original)	2000	126 million units. Still the benchmark for "indestructible phone." 2G GSM, still usable in 2G markets.
Nokia 8210	1999	Tiny candybar, fashion-market hit. 2G GSM.
Ericsson T28	1999	Ultra-thin flip, active-flip mechanism. 2G GSM.
Nokia 7110	1999	First WAP browser phone. Also the actual Matrix phone (not the 8110). 2G GSM.
Nokia 6210	2000	Business candybar. 2G GSM tri-band.
Sony Ericsson T68i	2001	First color-screen mainstream phone. 2G GSM.
Nokia 8910	2002	Slider, titanium housing. 2G GSM.
Nokia 6310i	2002	Legendary business phone, weeks of battery. Still used by pilots.
Sony Ericsson T610	2003	Color camera phone explosion. 2G GSM.
Nokia 1100	2003	Best-selling phone in history (~250 million units). 2G GSM, alive anywhere 2G runs.
Motorola Razr V3	Nov 2004	The icon. 2G GSM quad-band. Alive in Germany, Mexico, much of Africa and SEA.
Nokia N95	2007	The original smartphone-before-iPhones-won. 2G/3G. Works where either still runs.

Why 2G GSM refuses to die: millions of industrial M2M devices — vending machines, alarm systems, car telematics, agricultural sensors, elevator emergency phones, gas meters — were deployed in the 2000s speaking only 2G. Ripping them all out costs more than keeping the network alive, so the EU mandated 2G GSM preservation until at least 2028 in many countries. Phreaks and hobbyists benefit as a rounding error. A 1992 Nokia 1011 in Germany is making calls in 2026 because a 2005 vending machine in Munich is still taking card payments over the same protocol.

Tier 3 — Technically powers on, but no network anywhere

Pure museum pieces. These phones used 1G analog (AMPS, NMT, TACS) or early digital protocols (iDEN, TDMA, original CDMA) that have been shut down globally. They power on, the screens light up, the hardware is perfect — but there is no base station on Earth that will talk to them in 2026.

Phone	Year	Dead protocol
Motorola DynaTAC 8000X	1983	AMPS (1G analog). First commercial cellular phone. $3,995 at launch. 30 min talk time, 10 hr recharge.
Mobira Cityman 900	1987	NMT-900. The "Gorba" phone — Gorbachev used one on TV in 1987, giving it the nickname.
Motorola MicroTAC 9800X	1989	AMPS. First "pocket" flip phone. Dead everywhere since 2008.
Motorola Bag Phone	1988	AMPS. The car-trunk briefcase phone. Pure 80s cop-show prop now.
IBM Simon	1994	Often called "the first smartphone." AMPS analog, touchscreen, apps. Dead network, 30 years early to the party.
Nokia 9000 Communicator	1996	2G GSM 900 only — technically could work on a 2G GSM 900 network, but the 900 band alone is rare now. Borderline case between Tier 2 and Tier 3.
Motorola StarTAC (US variant)	1996	AMPS/TDMA. Dead since 2008.
Nextel i1000plus	1999	iDEN (Motorola proprietary). Network shut down June 30, 2013.
Kyocera QCP-6035	2000	First Palm OS smartphone. CDMA 1xRTT. Dead since the CDMA shutdowns.
BlackBerry 5810	2002	2G GSM + voice via wired headset. Could technically work in Tier 2 markets if you had a headset.
Sidekick (Danger Hiptop)	2002	2G GSM plus Danger's proprietary data service — service died with Microsoft's Danger shutdown in 2011.

The headline answer

The oldest consumer cell phone that can still make a real call on a real commercial network anywhere in the world in 2026 is the Nokia 1011 (November 1992). That's a 34-year-old piece of hardware running a 35-year-old protocol, still participating in modern telecom infrastructure. If you narrow the question to "US carriers specifically," the answer jumps forward 22 years to the Samsung Galaxy S4 / iPhone 6 (2013–2014). Same planet, same year, two completely different floors — entirely because of which networks got sunset and which got preserved.

Practical buying tips for vintage-phone hobbyists

Batteries are the real problem, not the phones. NiCd and early Li-ion packs from the 90s are long dead. Most vintage Nokia batteries can be replaced with compatible modern cells (BL-5C, BL-4C, etc. are still manufactured).
Quad-band GSM (850/900/1800/1900) is what you want. It works in both European (900/1800) and American (850/1900) markets — future-proofs you for whichever 2G network outlives the others.
Check the frequency bands before buying. A Razr V3 sold in the US in 2005 is often 850/1900 only and won't work on European 900/1800 2G networks. The "V3" branding hides major regional differences.
SIM card size. Phones pre-2010 use full-size SIMs. Modern carriers issue nano-SIMs. You'll need a nano→standard SIM adapter, cheap and widely available.
Prepaid SIMs in 2G markets are the easiest way to test a vintage phone. Telcel (Mexico), Vodafone (Germany), Orange (France), Movistar (various). Walk into a shop, get a SIM for under $10, activate, call.
Private GSM base stations (Osmocom, YateBTS, running on a HackRF or USRP) let you light up vintage phones inside a Faraday cage for display or testing. Legal in the US only if the RF is fully contained — no leaking, no unlicensed transmission into shared spectrum.

06 · Privacy & Surveillance Deep Dive

The GPS Myth (section 04) is the primer — this section is the encyclopedia. What your carrier knows about you, what your apps know, which attacks are realistic, and what actually changes when you swap a smartphone for a dumb phone. Written with intellectual honesty: no "this device makes you invisible" hype, no "they're watching your every thought" paranoia.

Three independent surveillance layers (confusingly conflated)

Layer	Who sees it	Defeatable by a dumb phone?
1. Carrier / network — tower registration, voice routing, SMS, location (cell ID + E911)	Your carrier; accessible by law enforcement via subpoena or CALEA real-time tap	No. Required by federal law.
2. App / OS layer — ad SDKs, background services, clipboard reads, mic/cam permissions, contact book upload	Thousands of third parties (ad networks, data brokers, app developers)	Yes, mostly. Dumb phones have no app ecosystem.
3. Radio / RF layer — IMSI catcher (Stingray) captures, SS7 routing exploits, baseband bugs, rogue femtocells	Well-funded attackers (LE, state actors, organized criminals with DIY HackRF setups)	Mostly no — this is a hardware-radio problem, not a software problem. A dumb phone still registers with a rogue tower.

What your carrier knows (layer 1 detail)

IMSI (International Mobile Subscriber Identity) — a 15-digit number identifying your SIM. Carrier binds it to your real identity at activation.
IMEI (International Mobile Equipment Identity) — 15-digit number burned into the phone's baseband. Carrier logs this along with every tower registration — if you swap SIMs but keep the phone, the IMEI ties sessions together.
MSISDN — your phone number.
ICCID — 19–20 digit SIM serial.
Tower registration log — every tower your phone talks to, with timestamp. Carriers retain this 12–18 months (sometimes much longer under CALEA archiving). This is the cell site location information (CSLI) that shows up in criminal cases.
E911 position fix — lat/long accurate to 50–300 m, delivered to PSAP on any 911 call. Carriers also have this for non-emergency calls; law enforcement access varies by jurisdiction.
Call detail records (CDRs) — who you called, who called you, duration, tower IDs at each end. Retained years. Historical subpoena-accessible.
SMS content — retained by many carriers for days to weeks. Subpoena-accessible where logged.
Roaming and cross-border data — your home carrier knows when you connect to foreign networks and shares that with the foreign carrier.

The radio-layer threats (layer 3 detail)

IMSI catcher / Stingray

A rogue cell tower. Transmits a stronger signal than the real towers around you, forces your phone to register, captures your IMSI, and often downgrades the call to unencrypted 2G. Used by US law enforcement (Harris StingRay, KingFish, Hailstorm). Now also used by foreign intelligence services and, via HackRF + YateBTS, by hobbyists and criminals. Cost of building one dropped from $50,000 (Harris) to ~$300 (HackRF) over ten years.

Defense: SnoopSnitch (Android), AIMSICD, Cell Spy Catcher — detect some catchers. GrapheneOS has some hardening. VoLTE-only phones make downgrade attacks harder. Faraday bag when truly paranoid.

SS7 attacks

Signaling System 7 is the 1970s-designed backbone that routes calls and SMS between carriers. It has essentially no authentication between carriers. If you control any SS7 node (some tiny Cameroonian carrier, for example) you can query any phone on any other network: location lookups, call forwarding, SMS interception (which breaks SMS 2FA).

Defense: Stop using SMS for 2FA (use a TOTP app or hardware key). Carriers have partially deployed "SS7 firewalls" post-2016 but coverage is spotty.

Baseband exploits

The baseband processor in every phone runs a closed-source proprietary RTOS (Qualcomm, MediaTek, Samsung Exynos). It has full access to the main CPU, microphone, GPS, and storage. Vulnerabilities in it — like the Broadcom wi-fi bug Project Zero found in 2017 or the Qualcomm bug CVE-2020-11261 — can give a remote attacker root over cellular signaling alone. You don't get to open an attachment to be compromised.

Defense: keep phone OS patched. Old phones stop getting baseband patches; they're more vulnerable, not less.

Silent SMS / ping

A "Type 0" SMS that doesn't display to the user but forces the phone to respond, revealing its cell ID. Used by law enforcement to locate phones without opening a case or generating a dialed call.

WiFi/Bluetooth tracking

Even with cellular off, your phone's WiFi probes (looking for known networks) and Bluetooth LE beacons advertise a unique MAC. Retail stores, airports, and city infrastructure log these. MAC randomization (iOS 14+, Android 10+) helps but isn't universal.

What apps know (layer 2 detail)

Precise GPS whenever you grant any app location. Often shared with ad SDKs.
WiFi networks scanned (even without connecting) — location-correlatable via Skyhook / Google's WiFi-to-location DB.
Bluetooth devices seen — derives social graph (whose phones are near yours?).
Sensor data — accelerometer, gyro, barometer; can reveal activity, elevation, steps, even keyboard inputs from vibration side-channels.
Microphone + camera — either explicitly (Meta, TikTok), or via permissions granted once and never revisited.
Clipboard — TikTok famously read clipboard every few seconds until called out in iOS 14.
Contact book + call log — asked for at install, uploaded wholesale. Your name is in everyone else's phone even if you don't have a phone.
Photos metadata — EXIF includes GPS, timestamp, device model.

The practical privacy ladder (realistic)

Tier	Device	What you defeat	What you don't
1	Stock iPhone / Pixel	Some app tracking (iOS ATT), with effort	Carrier, SS7, IMSI catcher, baseband, app surveillance by default
2	GrapheneOS on Pixel	Most app tracking, isolated baseband, hardened sandbox	Carrier, SS7, IMSI catcher, baseband (mitigated not eliminated)
3	Light Phone / Punkt MP02 / Sunbeam F1	All app tracking (no apps)	Carrier, SS7, IMSI catcher, baseband
4	Prepaid burner bought with cash, rotated monthly	App tracking + identity linkage	SS7, IMSI catcher, baseband; also inconvenient
5	No phone + Faraday bag for electronics	Everything phone-related	License plate readers, CCTV, credit card, friend-of-a-friend tagging, workplace
6	Phone + SDR + knowledge	Can detect Stingrays, analyze your own RF, run a private GSM test cell	Physical-world everything

The honest lesson: a dumb phone is a huge win against layer 2 (apps) and an inconvenience against nothing. It doesn't change layer 1 (carrier) or layer 3 (radio) at all. Most privacy-conscious buyers are really buying focus — escape from notifications — and getting layer 2 privacy as a bonus. That's still worthwhile. It's just not what the marketing claims.

07 · Carrier Bands, SIM Types & Compatibility

A phone works only if (a) its radio supports the right frequency bands for your carrier, (b) it supports VoLTE (since all US voice is VoIP over LTE now), and (c) the carrier hasn't blocked its IMEI. This section is the reference you look at before buying any phone that doesn't explicitly say "certified on Verizon/AT&T/T-Mobile."

US LTE bands that matter

Band	Freq	Carrier use
B2	1900 MHz	AT&T, T-Mobile (urban)
B4 (AWS)	1700/2100 MHz	T-Mobile, AT&T, Verizon
B5	850 MHz	AT&T, US Cellular
B12	700 MHz	T-Mobile (rural)
B13	700 MHz	Verizon primary LTE
B14	700 MHz	FirstNet (AT&T public safety)
B17	700 MHz	AT&T (subset of B12)
B25	1900 MHz	Sprint legacy (now T-Mobile)
B26	850 MHz	Sprint legacy (now T-Mobile)
B41	2500 MHz	T-Mobile (ex-Sprint, high-capacity urban)
B66	1700/2100 MHz (extended AWS)	T-Mobile, AT&T, Verizon
B71	600 MHz	T-Mobile (rural coverage)
n41, n71, n77, n260	various	5G (NSA + SA)

The European import trap: Nokia's 2720 Flip, 3210 2024 revival, and many Asian-market dumb phones are 4G LTE only on European bands (B1/3/7/8/20/28). They are missing B2/B4/B12/B13/B17 — the bands US carriers need. They'll power on and scan for signal forever. Always check the band spec before importing.

VoLTE — the actual gatekeeper

Since ~2022, all three major US carriers have shut down 2G and 3G voice. That means your phone can have perfect LTE data and still be unable to make a phone call. Voice now flows as VoIP over LTE (VoLTE) or 5G (VoNR). Phones need:

VoLTE radio support — the chipset
IMS (IP Multimedia Subsystem) firmware — the software stack
Carrier whitelist — Verizon specifically refuses to activate phones not on its approved IMEI list, even if the VoLTE stack is technically compatible. AT&T and T-Mobile are more permissive.

SIM types in 2026

Type	Size	Used for
Standard / mini-SIM	25 × 15 mm	Phones 2000–2010
Micro-SIM	15 × 12 mm	Phones 2010–2014
Nano-SIM	12.3 × 8.8 mm	Most phones 2014–present
eSIM	embedded chip	iPhone 14+ (US: eSIM only), most new 2024+ flagships
iSIM	integrated into SoC	Qualcomm Snapdragon 8 Gen 2+ spec, rare consumer use

eSIM privacy consideration: eSIM profiles are installed via QR code and tied to the phone's EID (eSIM ID). Re-provisioning requires carrier action — you can't simply move an eSIM between phones like a physical SIM. Loss of a phone with eSIM is slower to recover.
Dual-SIM strategies (privacy): keep your "real-name" SIM + a prepaid cash-bought burner SIM in one phone. Use the second for accounts you don't want linked to your identity. Many unlocked phones support dual-SIM; iPhones support one physical + one eSIM in most markets.

Carrier certification reality

Verizon — strictest. Maintains a whitelist. A compatible phone that's not on the list won't activate. verizon.com/byod has the check tool.
AT&T — moderate. Publishes compatibility but generally allows unlisted IMEIs if bands + VoLTE check out.
T-Mobile — most permissive. Unlocked phones with matching bands + VoLTE generally just work.
MVNOs (Mint, Visible, Google Fi, Cricket, US Mobile, etc.) — inherit the underlying carrier's rules. Visible = Verizon, Mint = T-Mobile, Cricket = AT&T.

Unlocked vs carrier-locked (buying advice)

Always prefer unlocked when possible. Locked phones are cheaper upfront but lock you to the selling carrier until formally unlocked.
US law (CRAP Act, 2014) requires carriers to unlock phones after you finish paying them off. Unlocking takes 2–14 days. Prepaid phones have separate unlock rules (usually 1 year of service).
Unlocking does not add bands. A Verizon-only Kyocera phone with B13 only will still be Verizon-only after unlocking.

08 · Phone Anatomy, Failure Modes & Restoration

You bought a vintage Razr V3 at a flea market. It won't power on. Can you fix it? Often yes. This section covers the common failure modes and restoration paths for phones from the 1990s through 2015-era smartphones.

The six things that kill an old phone

Failure	Symptoms	Fix
Dead battery	Won't power on, even on charger; powers on briefly then dies	Replace. Most 2000–2012 phones have user-replaceable Li-ion packs; $5–$15 on eBay. Don't trust 20-year-old unused batteries — lithium self-discharges and bulges.
Corroded contacts (battery terminal, charge port)	Intermittent charging, ghost touches, won't boot	Clean with 99% isopropyl alcohol and a soft brush; lightly scrape oxidation with a wooden toothpick. No metal on metal.
Charge port wear (micro-USB, 30-pin, mini-USB)	Works only at specific angles, must wiggle cable	Replace port. $5–$20 part, requires teardown + soldering. Or use magnetic charge adapters as a workaround.
Screen failure	Backlight dead, LCD bleeding, touch digitizer unresponsive	Replace as an assembly. LCD kits on iFixit, ParsonFix, specialty eBay sellers. Razr V3 internal screens were especially prone to ribbon-cable failure at the hinge.
Dead flash / NAND	Bootloops, stuck at logo, "phone not activated" error that can't clear	Often unfixable without JTAG reprogramming. Occasionally solvable with a firmware reflash (Motorola RSD Lite, Odin for Samsung, Fastboot for Android).
Water / humidity damage	Corrosion visible in teardown; stuck buttons; erratic behavior	Disassemble, flood with 99% IPA, ultrasonic bath if possible, dry 48 hrs, reassemble. Ricedontics is a myth; alcohol displaces water.

Restoration workflow (any 2000s–2010s phone)

Inspect externally. Look for corrosion in battery compartment, SIM slot, charge port. Check screen for cracks / burn-in.
Open the back. Pull battery (if user-replaceable). Check for bulging — if bulged, do not use. Dispose at a battery recycler.
Inspect the battery compartment contacts. Clean with IPA + toothpick.
Test with a known-good battery. eBay sellers often list working replacements for popular phones ($8–$15).
Charge for 2 hours before power-on. Some charge controllers need a minimum voltage before allowing boot.
If it boots: check IMEI (*#06#), check menu, check SIM detection. If a 2G/3G phone, note the IMEI and check it's not blacklisted at imeipro.info.
If it doesn't boot: try external-power mode (connect charger without battery). Many phones will show a charge icon if the main board is alive but the battery circuit is dead.
If nothing: teardown. iFixit.com has guides for most phones 2007+. Older phones: search YouTube for "[model] teardown."

Phones with replaceable batteries (nostalgia-restorer's list)

Any phone with a user-replaceable battery is dramatically more restorable. By generation:

All pre-2013 phones — virtually all had removable backs. Samsung Galaxy S through S5, iPhone 4/4S (difficult but doable), every Nokia, every Motorola Razr, every BlackBerry.
Exceptions (already sealed pre-2013): iPhone 5 (sealed 2012), HTC One M7 (sealed 2013).
2014+ rugged phones that kept removable batteries: Kyocera DuraXE / DuraXV series, Sonim XP-series, Samsung Galaxy Xcover, CAT S22 / S62.
2024+ new rugged flips with removable batteries: Sunbeam F1 Orchid, some TCL Flip models.

Spare parts sources

iFixit (ifixit.com) — parts, tools, guides for common phones.
RepairsUniverse — screens, digitizers, batteries, charging ports.
eBay — the only realistic source for truly obscure parts (Razr V3 flex cables, Nokia 8810 battery).
AliExpress — bulk cheap replacement batteries and ribbon cables; quality variable.
ImprintIndustries / ParsonsFix — boutique retro-phone restoration shops.

The Razr V3 restoration specifics

Battery: BR50 (OEM) or BR56 (higher capacity aftermarket). $8 on eBay.
Hinge ribbon cable: notorious failure point. Repair kits available but require microsoldering.
Internal LCD: OEM replacements getting rare. Complete motherboard+LCD assemblies sell for $30–$60.
Charge port: mini-USB (original) or replaced-mod to micro-USB by hobbyists.
Firmware: Original firmware is on an internal ROM. Can be reflashed via RSD Lite + a Motorola USB cable if you have a firmware file. (p2kman.forumfree.it archive.)

09 · Related Comms Tech — Alternatives to the Cell Phone

The phone isn't the only way to communicate, and sometimes it's the worst way if your goal is privacy, resilience, or reach. These are adjacent technologies that deserve space in any phreak-adjacent museum.

Pagers

Yes, still sold, still worth it in specific niches. Motorola, Unication, Apollo all make 2026-current pagers. Used by hospitals, nuclear plants, Secret Service, most US emergency services, Orthodox Jewish communities on Shabbat. One-way (receive only) or two-way. Frequency-dedicated (POCSAG, FLEX) on separate carrier infrastructure from cell. Privacy note: pager networks are unencrypted — anyone with an RTL-SDR and pdw software can read every page in range. Don't page sensitive info.

Walkie-talkies (FRS / GMRS / MURS)

Service	Freq	Power	License
FRS (Family Radio Service)	462–467 MHz	2 W max	No license
GMRS (General Mobile Radio Service)	462–467 MHz	50 W max	$35 / 10 yr FCC license, family covered
MURS (Multi-Use Radio Service)	151–154 MHz	2 W	No license
CB (Citizens Band)	27 MHz	4 W AM / 12 W SSB	No license

Uses: road trips, convoys, camping, neighborhood mesh for emergencies, kids-away-from-parents radios. Completely outside the cell system — no IMSI, no carrier log, no tower registration.

Amateur radio (HAM)

Licensed service, much wider frequency privileges. Three US license classes (Technician, General, Extra). Voice, digital modes (Winlink, FT8, JS8Call), repeater networks. Privacy caveat: HAM operation is explicitly public — encryption is prohibited in most bands (you must identify by callsign every 10 minutes). It's a community tool, not a privacy tool. But it's unmatched for disaster resilience.

Satellite phones

Iridium — 66-satellite LEO constellation, global coverage including poles. Iridium 9575 Extreme / GO exec, Iridium GO! hotspot. $1,000–$1,600 hardware + $50–$150/mo service.
Thuraya — mid-latitude GEO coverage, cheaper than Iridium, no polar coverage.
Inmarsat — enterprise/maritime.
Globalstar — US/Americas focus; cheaper, less global.

Privacy: sat phone traffic still goes through a carrier and is legally interceptable. But the tower your phone is registering with is 600 km up and you're not in its cell log next to a known city.

Satellite messengers (SMS-style)

Garmin inReach — Mini 2, Messenger, Explorer+. Uses Iridium. Two-way text + SOS. $15–$65/mo plans.
Zoleo — similar, cheaper tiers.
ACR Bivy Stick — same market.
Apple Satellite Connectivity — built into iPhone 14+, SOS only (free for 2 years), US/CA/EU coverage via Globalstar.
Android Satellite SOS — Pixel 9+ and some Samsung S24+, rolling out.

Meshtastic / LoRa mesh

Open-source peer-to-peer mesh messaging over LoRa (long-range low-power radio) at 915 MHz (US ISM band). Hardware: ~$40 LilyGo T-Beam or RAK Meshtastic node, optional paired phone app. Range: 2–8 km node-to-node, extending via mesh forwarding to tens of km in the right terrain. No carrier, no SIM, no cell tower, no account. Works during hurricanes, earthquakes, festivals, protests. Hobbyist / protest-adjacent community around it. The modern equivalent of phreak-era packet radio in spirit.

CBRS (Citizens Broadband Radio Service)

3.5 GHz band shared with US Navy radar. Enables private LTE/5G networks without carrier involvement. Used by enterprises, universities, industrial sites. Hobbyist deployment with Magma, Open5GS, srsRAN, YateBTS is possible but requires an SAS (Spectrum Access System) registration. Phreak-adjacent because it lets you run your own cell network.

Private GSM (ultra-phreak)

YateBTS, OpenBTS, OsmoBTS paired with a USRP / HackRF / BladeRF SDR lets you stand up a private GSM cell. Vintage 2G phones register with it. Legal in the US only inside a Faraday enclosure (not leaking to licensed spectrum). Primarily used for museum displays, vintage phone restoration testing, and academic research. The 2026 Faraday-phreak aesthetic.

Field phones / POTS (wired)

Landlines aren't dead. AT&T's copper landline network is being decommissioned (target: 2029 in most states) but VoIP-over-fiber landlines (Spectrum, Xfinity, CenturyLink) continue. A home with a landline can't be IMSI-caught, SS7-attacked, or cell-tracked. It's the most boring privacy win of all.

10 · SDR & Phreaking Hardware Reference

The hobbyist's radio-exploration kit. What's available, what it does, legal considerations.

Software-defined radios

Device	Freq range	Price	What it does
RTL-SDR v4	500 kHz – 1.75 GHz	$40	Receive-only. The entry-level SDR. Listen to ADS-B airplanes, POCSAG pagers, FM radio, ham bands, unencrypted police, weather satellites.
HackRF One	1 MHz – 6 GHz	$300	TX + RX, half-duplex. The tool for the full 2G band. Can run YateBTS GSM base station in test mode.
LimeSDR Mini	10 MHz – 3.5 GHz	$180	Full duplex TX/RX. Slightly lower freq ceiling than HackRF but both sides can run at once.
BladeRF 2.0 micro	47 MHz – 6 GHz	$500–$900	Full duplex, higher quality than HackRF. Nuand-made, US company.
USRP B200mini	70 MHz – 6 GHz	$750	Academic / research grade. Ettus Research (now NI).
USRP X310	DC – 6 GHz	$5,000+	Commercial-grade. What NSA uses. Not a hobbyist purchase.

Software stacks

GNU Radio — the foundational open-source SDR toolkit. Graph-based signal flows.
gqrx / CubicSDR / SDR++ — spectrum analyzer / waterfall GUIs for casual listening.
YateBTS — GSM base-station stack. Stand up a private 2G cell.
OpenBTS / OpenBSC / OsmoBSC — open-source GSM stacks, various flavors.
srsRAN (srsLTE) — open LTE / 5G NR stack. Private LTE cells.
Open5GS — 5G core network stack.
Kismet — WiFi/Bluetooth/SDR sniffer.
Wireshark — packet analyzer with GSMTAP support for GSM decoding.
pdw — Paging Decoder Win, reads POCSAG pagers in real time.
IMSI-Catcher detectors: SnoopSnitch (Android), cellmap.app, AIMSICD.

Hardware for the retro-phreak bench

HackRF + Portapack H2 — HackRF in a portable case with a screen. Field kit for RF exploration.
Flipper Zero — sub-GHz TX/RX, RFID, NFC, iButton, IR, BadUSB in a tamagotchi shell. Not for cellular, but complements the kit.
Faraday bag / cage — required for legal private GSM operation. Mission Darkness, Silent Pocket, Defender Shield.
Multimeter + soldering iron — the restoration-bench basics. Hakko FX888D, Fluke 87V, anti-static mat.
USB JTAG / ISP programmer — for reflashing baseband / bootloaders on bricked phones. JTAGulator, RIFF Box, Octoplus.

Legal considerations (US)

Receive-only is fine in all ISM/shared bands. Listening to public-safety, ham, FM, ADS-B is 100% legal.
Receiving encrypted content without authorization is a 1986 ECPA violation. You can decode it locally for research, but publishing it is a different matter.
Transmitting on licensed bands without a license is illegal FCC Part 15 / Part 95 / Part 97 depending on band. IMSI-catcher deployment against third parties is a federal crime regardless of jurisdiction.
Faraday-caged private GSM for personal research is explicitly legal (the RF doesn't escape).
Part 15 ISM experimentation (915 MHz LoRa, 2.4 GHz WiFi) is low-power open.

11 · Phone Brand Reliability & Privacy Tiers

Twenty-five years of data have sorted phone manufacturers into a stable hierarchy. Use this when buying vintage or modern dumb/rugged phones.

S-tier — build quality + privacy posture

Punkt (Swiss) — MP02 dumb, MC02/MC03 privacy smartphone (AphyOS, no Google services). Philosophical privacy focus by design.
Light Phone (US, NY) — Light Phone II/III. Custom LightOS. No apps, no browser, no social by architecture.
Mudita (Poland) — Pure (dumb e-ink), Kompakt (e-ink smart-dumb). Focus-first minimalism.
GrapheneOS-on-Pixel (Google hardware, de-googled OS) — technically highest-privacy smartphone. Not a brand but a stack.

A-tier — proven reliability

Nokia (HMD Global) — still shipping feature phones (2660, 2780, 3210 revival, 6300, 8000). KaiOS or S30+. Built on decades of engineering.
Sonim (US, rugged/industrial) — XP3plus, XP5plus, XP10. MIL-SPEC ratings. PTT-heavy. Used by utilities, FirstNet, field services.
Kyocera (Japanese rugged) — DuraXE Epic, DuraXA Equip, DuraXV Extreme+. Rugged flips with AOSP Android underneath (tracking caveat).
Motorola (Lenovo-owned) — legacy Razr brand, Moto G budget line. Razr 40 / Razr 2024 as modern foldable.
Sunbeam (US) — F1 Horizon, F1 Pro. Amish/Plain community phones. Truly featureless by design. No browser, no apps, no camera options.

B-tier — functional mainstream

Samsung — Galaxy S5 and up all VoLTE. Decent longevity on flagships. Bloatware-heavy.
Apple — iPhone 6+ all VoLTE. Long OS support (7+ years). Privacy marketing is partly genuine (ATT, on-device ML) partly marketing.
TCL / Alcatel — budget KaiOS flips (Flip 3, Flip 4 5G). Cheap, functional, limited ecosystem.
HMD — separate from Nokia branding for newer projects (Barbie phone, Boring Phone).
Unihertz — niche forms: Titan (QWERTY), Jelly Star (tiny), Atom (rugged mini). Full Android.

C-tier — caveats

Orbic, Schok, Plum, AGM — budget Android flips/bars. Variable build, limited carrier cert.
BlackBerry (BB Ltd licensee phones) — brand zombie. KEY2 etc. ran Android, support ended 2022.
CAT (Caterpillar-branded) — rugged Android, OK but Bullitt Group (licensor) has been inconsistent.

D-tier — avoid

Gray-market European candybars without US band support.
Chinese no-name "mini" phones from eBay/AliExpress — often have hidden Android underneath with full tracking, missing US bands, no VoLTE.
"Stealth / spy" phones from sketchy sites — usually rebadged budget Android with fake-secure marketing.

The two questions that matter when buying

Does it have the right US LTE bands + VoLTE + IMS? (If no — doorstop, regardless of brand.)
What OS is really underneath? Many "dumb" phones are stripped Android with the launcher hidden. That still means app SDKs, still means background services, still means tracking attack surface. The Kyocera DuraXE, for example, is Android inside. The Sonim XP3plus is Android. If this matters to you, verify before buying.

12 · Purchase Guide (with OPSEC)

Where to buy, and — if you care about OPSEC — how to buy.

Where to buy new

Vendor	Best for	Notes
Dumbwireless.com	Curated dumb phones, privacy focus	Small specialist retailer; thoughtful curation.
B&H Photo	Unlocked dumb/rugged phones	Reliable, legit prices.
Amazon	Mainstream; counterfeit risk	Avoid third-party sellers for anything important.
Best Buy	Samsung/Apple, in-store inventory	Good return policy.
Punkt.ch	Punkt MP02, MC02, MC03 direct	Swiss company; ships globally.
Thelightphone.com	Light Phone II/III direct	NY company.
Mudita.com	Mudita Pure/Kompakt direct	Polish company.
Sunbeamwireless.com	F1 Horizon / F1 Pro	Direct or via authorized Plain-community dealer.
Sonimtech.com	Rugged industrial	Also sold by carriers directly.
Carrier websites	Anything carrier-certified	Guaranteed to activate, but often locked.

Where to buy used / vintage

eBay — best selection of vintage; verify IMEI not blacklisted; check seller feedback.
Swappa — used-phone marketplace with carrier/ESN verification built in.
Facebook Marketplace / Craigslist — for cash deals; meet at a coffee shop.
Estate sales — the best vintage phone pricing if you know what you're looking at.
Goodwill / Savers — occasional finds at $3–$15.
Reddit r/dumbphones, r/phreaking, r/retrophones — community sales.

OPSEC-conscious buying (the burner playbook)

If your reason for owning a dumb phone is privacy from layer-2 (apps), none of this matters — just buy normally. If you care about not being linked to the device at all, the steps matter:

Pay cash. At Walmart, Target, CVS, 7-Eleven, Best Buy. Don't use a rewards card, don't log a loyalty number.
Physical store, not online. Online purchase links your shipping address + payment method to the IMEI.
Activate prepaid with cash at the store or via prepaid refill card (also cash). TracFone, SafeLink, Net10, Simple Mobile, Boost prepaid, Cricket prepaid.
Use a new phone number — don't port an old one.
Don't link a real email. Use a ProtonMail or SimpleLogin alias for account recovery.
Activate and use from a different location than your home — the first tower the device registers with is logged.
Pair with Signal / Session / SimpleX — don't rely on carrier SMS.
Rotate — a "burner" you use for six months is not a burner. Plan a retirement cadence.
Dispose by destruction — SIM cut, phone smashed, both dropped in different trash bins in different cities. (Do not attempt to resell.)

Price anchors (2026)

Item	New price	Used price
Nokia 2780 Flip (US-certified KaiOS)	$80–$90	$40–$60
Light Phone II	$299	$150–$200
Light Phone III	$599	Rarely on resale yet
Punkt MP02	$379	$200–$250
Sonim XP3plus	$250–$300	$100–$150
Kyocera DuraXE Epic	$250–$300	$80–$120
Motorola Razr V3 (vintage, 2004)	—	$20–$80 (nostalgia only, bricked in US)
Nokia 3310 (vintage, 2000)	—	$15–$50
Nokia 1011 (first mass-produced GSM, 1992)	—	$200–$800 (trophy piece)
Sidekick (Danger Hiptop, 2002)	—	$60–$200
BlackBerry Bold 9000 (2008)	—	$30–$80

13 · Glossary

Term	Definition
2G / 3G / 4G / 5G	Cellular generations. 1G analog, 2G GSM/CDMA digital voice, 3G UMTS/EV-DO adds data, 4G LTE all-IP, 5G NR adds higher frequencies + latency improvements.
AMPS	Advanced Mobile Phone System — the original US 1G analog cellular (1983–2008).
APN	Access Point Name — carrier-specific config that tells the phone how to connect to the data network.
Baseband	The cellular radio processor — closed proprietary firmware, separate from the main OS. Responsible for all RF and SIM handling.
BYOD	Bring Your Own Device — carrier term for activating an unlocked phone on their network.
CALEA	Communications Assistance for Law Enforcement Act (1994). Requires carriers to provide wiretap access points.
CBRS	Citizens Broadband Radio Service. 3.5 GHz band shared with Navy; enables private LTE.
CDMA	Code Division Multiple Access. The 2G/3G standard used by Verizon and Sprint in the US. Dead 2022.
CDR	Call Detail Record — who called whom, when, how long, which towers. Retained by carriers.
Cinavia	(not phone-related, from the CD/DVD museum)
CSLI	Cell Site Location Information — the carrier's log of which towers your phone has talked to. Subpoena-accessible for criminal investigations.
DeCSS	(DVD DRM break, not phone)
eSIM	Embedded SIM. Software-provisioned subscriber identity, no physical card.
FCC Part 95	Rules for personal radio services (FRS, GMRS, CB, etc.).
FirstNet	AT&T-operated public-safety LTE network on Band 14. Priority access for emergency responders.
FRS	Family Radio Service — 462–467 MHz walkie-talkie band, no license required, 2 W max.
GMRS	General Mobile Radio Service — walkie-talkie band, requires $35 FCC license (family covered).
GSM	Global System for Mobile — the dominant 2G digital standard worldwide. Dead in the US since 2024.
HackRF	Open-source SDR (1 MHz – 6 GHz). ~$300.
HAM	Amateur radio. Licensed (Tech/Gen/Extra in US).
ICCID	Integrated Circuit Card Identifier — SIM card serial number, 19–20 digits.
iDEN	Integrated Digital Enhanced Network — Nextel's push-to-talk cellular system. Shut down 2013.
IMEI	International Mobile Equipment Identity — 15-digit phone hardware serial. Logged every tower registration.
IMS	IP Multimedia Subsystem — the IP-based voice/SMS framework used by VoLTE.
IMSI	International Mobile Subscriber Identity — 15-digit SIM identifier bound to subscriber identity.
IMSI Catcher	Rogue cell tower that captures IMSIs. Also called Stingray (Harris brand).
KaiOS	Linux-based OS for feature phones (descended from Firefox OS). Supports JavaScript apps including WhatsApp, YouTube, Google Maps.
LTE	Long-Term Evolution — 4G standard.
LTE-M / NB-IoT	Low-power LTE variants for IoT devices, often on old 2G spectrum refarmed.
MCC / MNC	Mobile Country Code / Mobile Network Code. The two numbers identifying your home carrier (US T-Mobile = 310/260).
MSISDN	Mobile Station ISDN — your phone number.
MVNO	Mobile Virtual Network Operator — carrier that leases capacity from a host carrier (Mint, Visible, Cricket, etc.).
MURS	Multi-Use Radio Service — 151–154 MHz unlicensed 2 W band.
POCSAG / FLEX	Pager transmission protocols.
PSAP	Public Safety Answering Point — 911 dispatch center. Receives E911 location.
PTT	Push-to-Talk. Walkie-talkie-style instant voice over cellular.
RTL-SDR	$40 USB SDR based on a cheap TV tuner chip. Entry-level radio exploration.
SA / NSA	Standalone / Non-Standalone — 5G deployment modes. NSA uses 4G core + 5G radio; SA is pure 5G core.
SDR	Software-Defined Radio.
Silent SMS / Ping	Type-0 SMS that doesn't display but forces the phone to respond, revealing its cell ID.
Stingray	Harris Corp's IMSI catcher product line. Generic term for any IMSI catcher.
SS7	Signaling System 7 — the 1970s-era protocol between carriers. Notoriously weakly authenticated.
UMTS	Universal Mobile Telecommunications System — 3G standard.
VoLTE	Voice over LTE — VoIP voice over 4G.
VoNR	Voice over New Radio — voice over 5G SA.
VoWiFi	Voice over WiFi — call routing over home WiFi via carrier's IMS.
YateBTS	Open-source GSM base-station stack.

14 · FAQ

Can I use a 2G phone in 2026?

Not in the US. AT&T 2G GSM shut down Jan 2017, T-Mobile 2G GSM shut down April 2024. Still works in parts of Europe, Mexico, much of Africa, Southeast Asia — 2G preserved there for M2M / IoT on refarmed bands, often till 2028 or later.

Can I use a 3G phone in 2026?

No US carrier runs 3G. All shut down by December 2022. Some international markets still have 3G UMTS.

What's the oldest iPhone that still works on US carriers?

iPhone 6 / 6 Plus (Sept 2014). First iPhone with full VoLTE on all major US carriers. iPhone 5s and earlier are bricked in the US.

Does a dumb phone really stop tracking?

It stops app tracking, not carrier tracking. Your carrier still logs your tower, still provides E911 location, still has call detail records. IMSI catchers still work against you. What you gain: no Facebook SDK, no TikTok clipboard read, no AdMob, no 47 background services.

Do modern dumb phones still have GPS?

Almost all of them do. E911 Phase II (2001+) essentially requires it. Nokia 2780, HMD Barbie, Light Phone, Punkt, Sonim, Kyocera — all have GPS chips. The exceptions are a handful of Amish-market phones (Sunbeam F1 family) and imported European 2G candybars that never got updated.

Can I buy a phone without a camera?

Yes, but the selection is small. Sonim XP3plus No-Camera SKU, Kyocera DuraXE No-Camera version, Punkt MP02, Mudita Pure, Easyfone Prime-A6, some Sunbeam F1 variants.

Is it legal to run a private GSM cell at home?

In the US: only inside a Faraday enclosure where the RF is fully contained. Transmitting on licensed GSM spectrum outside a cage without authorization is an FCC violation. A metal-mesh filing cabinet can work as a cheap cage.

What's VoLTE and why do I care?

Voice over LTE. Since the 2G/3G shutdowns, voice calls in the US are VoIP over 4G. Your phone needs both the LTE radio and the VoLTE/IMS firmware stack to make calls. Many older unlocked phones have LTE data but no VoLTE — they can browse but not call.

Will a European Nokia 3210 work in the US?

Probably not. The 2024 Nokia 3210 revival ships with European LTE bands (1/3/5/7/8/20/28) and is missing US bands 2, 4, 12, 13, 17. You'll get a "searching" screen and no signal. The vintage 1999 Nokia 3210 is 2G GSM and won't register on any US network.

What's the best truly camera-less privacy phone?

Punkt MP02 (no camera, no browser, LTE, by design) or Sonim XP3plus No-Camera SKU (rugged, FirstNet-friendly, no camera module). Both are genuinely without a camera, not just disabled.

Can I use my old phone as a WiFi-only device?

Yes — that's a common retirement path. Disable cellular, pull the SIM, use on WiFi for Spotify, Plex, ebook reading, as a kitchen clock or photo frame. Works on any phone with a usable battery.

What's the longest-lasting phone battery I can buy in 2026?

New: Sunbeam F1 Pro or Pro 2 — multi-day standby. Nokia 8000 4G / 225 / 110 — 18-day standby ratings. For Android: Sonim XP3plus, Unihertz Atom XL, CAT S62.

Can I still use my Razr V3 for anything?

As a cultural object, yes — it still snaps, still lights up. As a phone on a US network, no. As a phone on some European or Mexican networks, yes, on 2G GSM, for a few more years.

What's the difference between an unlocked and carrier-locked phone?

A locked phone only accepts SIMs from its original carrier. Unlocked accepts any carrier's SIM whose bands it supports. US law (CRAP Act 2014) requires carriers to unlock phones after you finish paying them off, typically 2–14 days after request.

Are there still any phones with physical QWERTY keyboards?

Yes: Unihertz Titan, Titan Slim, Titan Pocket (full Android + BlackBerry-style QWERTY), Minimal Phone (e-ink Android + QWERTY, 2024 crowdfunded). The BlackBerry brand proper (from BB Ltd.) is dead as of 2022.

What's the smallest smartphone I can buy?

Unihertz Jelly Star (3-inch screen, 2023) or Palm Phone (3.3-inch, 2018, now rare).

Are there privacy phones that aren't Android underneath?

Partially: Punkt MP02 runs a custom Punkt OS (not Android). Light Phone II/III run LightOS (Android base but all Google services stripped + no app install). Sunbeam F1 runs a custom non-Android OS. Mudita Pure/Kompakt run custom MuditaOS. All other "dumb phones" with apps (KaiOS, stripped Android) have an OS underneath that could theoretically host SDKs.

Can I detect an IMSI catcher around me?

Partially. SnoopSnitch (Android, requires root), AIMSICD, cellmap.app, Cell Spy Catcher report probable Stingrays based on tower behavior heuristics. False positives happen. No tool offers a guaranteed detection.

Does airplane mode stop tracking?

It stops your phone from registering with cell towers and (on most phones) turning off WiFi and Bluetooth. That stops cell tracking while it's on. The moment you turn it off, the phone registers again and the gap is visible in CSLI. A Faraday bag is more decisive.

15 · Modern Uses for Old Phones

Not every old phone should go to a landfill. Here's what your 2008 iPhone 3G, 2012 Galaxy S3, or 2004 Razr V3 can actually do today.

Privacy-focused

WiFi-only "dumb-smart" phone. Pull the SIM, disable cellular. Browse on WiFi only — home, cafes. No carrier tracking at all when cellular is off.
Dedicated Signal / SimpleX / Session device. One old phone, one secure-messaging app, nothing else installed. Never log into email or social.
Air-gapped password manager. Old phone, no network, run KeePassDX locally. Manual password entry from glance.
Disposable travel phone. Old phone, fresh prepaid SIM bought at the airport, factory-wipe before returning home.
Faraday-bagged backup. Old phone with essential info, kept in a Faraday bag for emergencies only.

Media / entertainment

Dedicated music player / Plex client. Old phone + wired headphones = the closest thing to an iPod in 2026.
E-reader. Old Android / iPhone with a reading app (KOReader, Libby, Kindle). Battery life on reading-only duty is days.
Dedicated video player. MX Player + sideloaded video files. No ads, no recommendations.
Ham-radio companion. RTL-SDR USB dongle + OTG cable + SDR Touch app.
Cassette-style portable stereo. Old iPod Touch + Bluetooth dongle + small portable speaker = beach box.

Home / practical

Dashcam. Mount on windshield, run AutoGuard or similar continuous-loop recorder. Cheaper than a dedicated cam.
Baby monitor. Pair with a modern phone via Alfred, Presence, or Manything.
Security camera. Same apps. Old phone taped to a window, pointed at the driveway.
Kitchen clock / timer. Permanently mounted on the fridge with a wall-clock face app.
Smart remote / universal remote. Old Android with IR blaster (HTC One, LG G2/3) = universal TV/AC remote.
Home-automation dashboard. Wall-mounted tablet running Home Assistant frontend.
Digital picture frame. Flipboard, SlideShow Pro, or Fotoo app. Fill with family photos.
Workshop music + timer. Dedicated garage/basement/shop phone — Spotify offline, weather, clock.

Work / education

Kids' first phone. Old phone, WiFi-only, with parent-installed apps only (Duolingo, offline games, photos).
Classroom / workshop demo device. Stripped phone that teachers loan to students.
Testing device for app developers. Old phones of various OS versions for compatibility testing.
Focus phone. Leave smartphone at home; carry dumb-phone-mode retired smartphone with only critical contacts.

Museum / display

Shelf piece. Some phones (Razr V3, Nokia 3310, Sidekick, iPhone original, StarTAC) are genuine industrial-design artifacts. Keep one, display under glass.
Faraday-caged private-GSM demo. Pair with HackRF + YateBTS to demonstrate pre-smartphone mobile tech for education.
Functional decoration. Mount a real vintage phone (wall phone, candlestick phone) as art.

16 · Retro & Privacy Projects

Weekend-to-multi-month projects that bring the phreak/privacy spirit into modern practice.

Weekend

Build a Faraday bag. Three layers of aluminum foil + a zip-lock sandwich bag. Tested with an RF meter or a call to a phone inside. Fun DIY before buying the real thing.
Run SnoopSnitch or cellmap.app around your city. Build a personal tower map, flag anomalies. One weekend of driving = a surprising amount of data.
Set up Signal + ProtonMail + SimpleLogin. Create the "minimum-footprint" comms triangle. Migrate your closest circle.
Wipe and repurpose an old phone as a dedicated Signal device (see section 15).
Buy an RTL-SDR and listen to POCSAG pagers. Eye-opening first exposure to RF privacy issues — every hospital page broadcast in clear text.
Start a phone collection shelf. Five iconic phones: Nokia 3310, Razr V3, BlackBerry Bold, Sidekick, iPhone original. All for under $200 on eBay.

Weeks

Restore a vintage phone. Razr V3, StarTAC, Nokia 8810 "Matrix phone" — replace battery, reflash firmware, test on a Faraday-caged GSM test cell.
GrapheneOS on a Pixel. De-google an Android. Keep smartphone utility without the Google surveillance layer.
Dual-SIM OPSEC routine. Set up a "real" identity SIM and a "burner" SIM in one phone. Use the burner for accounts you don't want linked.
Build a dumb-phone cradle for your smartphone. Physical container (jar, box, drawer) where the smartphone lives by default, forcing you to carry only the dumb phone.
Start a HAM license study. Technician exam in 2–4 weeks of casual study ($15 exam). Opens up legitimate RF experimentation.
Set up a Meshtastic node in your home and map your mesh reach. Week-long experiment in the neighborhood.

Months

Full private GSM lab. HackRF + YateBTS + Faraday cage (metal filing cabinet + copper mesh). Document on a blog.
Vintage phone collection with operability testing. 20+ phones, each checked on a test cell, each photographed and catalogued on a personal site.
Document a local scene's phone history. Oral-history project — older phreakers, ex-carrier engineers, retail sales reps at the 2G-sunset era. Publish as a zine or podcast.
Set up a community Meshtastic mesh. Recruit 8–15 neighbors / friends, map coverage, test emergency protocols.
Build a SIM-card museum. Every SIM size (standard → micro → nano → eSIM), every decade of carrier branding, framed.
Create a "minimal phone" ritual. One week/month dumb-phone-only as an ongoing habit, documented.
Launch a prepaid-burner subscription service. Actually reasonably viable small business — buy prepaid phones in bulk, curate OPSEC kits, sell to journalists and activists.
Run a "phone detox" weekend event. Community workshop: surrender smartphones, spend 48 hours on provided Nokia 2780s, debrief after.

Lifetime

Become a carrier / MVNO. CBRS band + small business license + 100 customers = real tiny phone company. Has been done solo.
Write a book on phreak history / phone privacy aimed at non-technical readers. Space exists for this in 2026.
Fund and maintain a preservation archive of phone hardware and firmware. Your own or contribute to TOSEC / Dumps / No-Intro.
Volunteer with the EFF / ACLU on cellular surveillance issues. Real policy work.
Teach a community class on cell phone privacy and OPSEC. Local library, hackerspace, or maker space.

17 · Phone Finder

Every phone from this project in one filterable database — year, form factor, capabilities, US-carrier status, app-tracking exposure, and whether it's genuinely alive, nostalgia-only, or a dead museum piece. Search, filter by feature, and click the checkbox on any phone to add it to your wishlist. Checked phones pin to the top and persist in your browser across reloads. Two views available: the original card layout, or the classical table view (Phone Finder 2.0).

Status All Works in US 2G markets only Dead museum

Form All Flip Candybar QWERTY Slider Touch Foldable

Must have No GPS No Camera No Apps Rugged MIL-SPEC E-Ink PTT 5G Minimalist KaiOS WhatsApp Long battery Unique / Icon

Carrier All AT&T T-Mobile Verizon

Charger All USB-C Micro USB Lightning Mini USB Proprietary

Loading... [ reset filters ]